Analysis and opinion by Christopher Soghoian, security and privacy researcher.

Sunday, October 17, 2010

It is time for the web browser vendors to embrace privacy by default

Three times in the past six months, the web browser's referrer header has been at the center of a major privacy incident. Much of the attention has reasonably been focused on the websites that were leaking their users' private data (in some cases unintentionally, but in Google's case intentionally). It may be time to focus some attention on the role the web browser vendors play, and on the pathetic tools they offer consumers to control this form of information leakage.

The root of the current focus by privacy advocates on the browser referrer header is a paper (pdf) written by two researchers last year, who found that Facebook, MySpace and several other online social networks were leaking the unique IDs of their users to behavioral advertising networks. Furthermore, according to a class action lawsuit filed last week, Facebook began to leak even more information to advertisers, including users' names, starting in February of this year. It wasn't until the Wall Street Journal called up MySpace and Facebook for quotes in May that the two companies quickly rolled out fixes (behold, the power of the media).

One month ago, I filed a complaint with the FTC, arguing that Google intentionally leaks its users' search queries to third parties via browser referrer headers. Unlike the Facebook leakage episode, in which it is generally acknowledged that Facebook didn't know about the leakage, Google has repeatedly gone out of its way to make sure this leakage continues, and has publicly confirmed that it is a feature, not a bug.

Now today, the Wall Street Journal has another blockbuster article on referrer leakage. This time, it is Facebook apps that are leaking Facebook user IDs to third parties, including advertising networks and data aggregators like Rapleaf.

It is certainly reasonable to point the finger at companies like Zynga, whose Farmville game has been confirmed by experts to be leaking users' Facebook IDs. However, as the Electronic Frontier Foundation's Peter Eckersley told the WSJ today, "The thing that is perhaps surprising is how much of a privacy problem referers have turned out to be."

These referrer leakage problems are not going to go away, and depending on hundreds of thousands of different websites and apps to take proactive steps to protect their users' privacy is doomed to failure. As such, we need to look to the web browser vendors to fix this problem, since, after all, it is the web browser that sends the referrer header in the first place.

Referrer headers and the browser vendors

The original HTTP/1.0 specification (RFC 1945, dating from 1996), which defined the core protocol used by web browsers, noted that the Referer header had significant potential for privacy problems:

Because the source of a link may be private information or may reveal an otherwise private information source, it is strongly recommended that the user be able to select whether or not the Referer field is sent. For example, a browser client could have a toggle switch for browsing openly/anonymously, which would respectively enable/disable the sending of Referer and From information.

Fast forward 14 years, and only two web browsers, Firefox and Chrome, offer a feature to disable the transmission of the referrer header. Internet Explorer and Safari, which are used by 65% of users on the Internet, include no built in functionality to scrub or otherwise protect this information.

While Firefox and Chrome do include features to disable the referrer header, these features are not enabled by default, and enabling them requires technical knowledge that is beyond the vast majority of users.

For example, Firefox users must first type "about:config" into the location bar, click past a very scary warning, and then change an obscure preference (network.http.sendRefererHeader) from its default value of 2 to 0.

Likewise, Chrome requires that users start the browser from the command line with an undocumented parameter (--no-referrers).
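As an added illustration (not code from the post), the following JavaScript models what a browser puts in the Referer header of a request to a third-party ad server, and what that third party can read out of it, under three policies: the default every browser shipped in 2010 (the full page URL), the off switch that Firefox and Chrome bury in about:config or a command-line flag, and the partial scrubbing the post argues for (full URL only to the same site, scheme and host only to everyone else). The page URLs, the ad-server hostname and the `id`/`q` parameter names are constructed for the example; the same-site check uses a last-two-labels approximation of the registrable domain rather than the Public Suffix List a real browser would use.

```javascript
// Added example: how a browser-side referrer policy decides what a third
// party learns from a page load. Not code from the post; all URLs and
// parameter names below are constructed for illustration.

// "Current page" URLs carrying private data in the query string, modelled on
// the two leaks the post describes (a social-network profile ID and a search
// query). Constructed examples, not captured traffic.
const PAGES = {
  profile: "http://www.facebook.com/profile.php?id=123456789",
  search: "http://www.google.com/search?q=divorce+lawyer",
};

// Constructed third-party ad server embedded on those pages.
const AD = "http://ad.example-network.com/pixel.gif";

// Registrable-domain approximation: the last two labels of the hostname.
// Adequate for the .com hosts used here; a real browser would consult the
// Public Suffix List (assumption).
function siteOf(url) {
  return new URL(url).hostname.split(".").slice(-2).join(".");
}

// The three policies in play:
//   "full"  - the 2010 default: the whole page URL, query string included
//   "none"  - the referer switch turned off (Firefox pref / Chrome flag)
//   "origin-for-third-party" - the partial scrubbing the post asks for:
//             full URL within the same site, scheme+host to everyone else
function refererFor(pageUrl, requestUrl, policy) {
  const sameSite = siteOf(pageUrl) === siteOf(requestUrl);
  switch (policy) {
    case "full":
      return pageUrl;
    case "none":
      return null;
    case "origin-for-third-party":
      return sameSite ? pageUrl : new URL(pageUrl).origin + "/";
    default:
      throw new Error("unknown policy: " + policy);
  }
}

// What the receiving server can pull out of a Referer value: any identifying
// query parameter. "id" and "q" are the parameters used in PAGES above.
function leakedParams(referer, names = ["id", "q"]) {
  if (!referer) return {};
  const params = new URL(referer).searchParams;
  const out = {};
  for (const n of names) if (params.has(n)) out[n] = params.get(n);
  return out;
}

// Load one page with an ad-network request under each policy and report the
// header sent and what the ad network learns from it.
function simulate(pageUrl, thirdPartyUrl) {
  const result = {};
  for (const policy of ["full", "none", "origin-for-third-party"]) {
    const referer = refererFor(pageUrl, thirdPartyUrl, policy);
    result[policy] = { referer, leaked: leakedParams(referer) };
  }
  return result;
}

if (typeof require !== "undefined" && require.main === module) {
  for (const [name, page] of Object.entries(PAGES)) {
    console.log(name, JSON.stringify(simulate(page, AD), null, 2));
  }
}
```

Under "full" the ad network receives the profile ID or the search query verbatim; under "origin-for-third-party" it learns only that the user was somewhere on www.facebook.com or www.google.com, while a same-site request (say, a script served from static.facebook.com) still gets the full URL, so the hotlink checks and analytics that depend on same-site referrers keep working.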

It is time to embrace privacy by default

Earlier this summer, the European Article 29 Working Party released an extensive report on privacy and behavioral advertising. The report (pdf) called on web browser vendors to play a more important role in protecting users, and to embrace privacy by default. While the Working Party was primarily describing cookie controls, the same message applies to referrer headers:

"Given the importance that browser settings play in ensuring that data subjects effectively give their consent to the storage of cookies and the processing of their information, it seems of paramount importance for browsers to be provided with default privacy-protective settings. In other words, to be provided with the setting of 'non-acceptance and non-transmission of third party cookies'. To complement this and to make it more effective, the browsers should require users to go through a privacy wizard when they first install or update the browser and provide for an easy way of exercising choice during use. The Working Party 29 calls upon browser makers to take urgent action and coordinate with ad network providers."

It is time for the browser vendors to listen to this advice. Had IE, Firefox, Chrome and Safari blocked (or at least partially scrubbed) referrer headers by default, the leakage from Facebook that the Wall Street Journal highlighted today would never have occurred.

13 comments:

As earlier articles in the WSJ series made clear, the companies that develop and own the major browsers are the same companies that own and operate the major ad networks. The conflict of interest doesn't explain everything, but it doesn't bode well.

In the meantime, I recommend RefControl: http://www.stardrifter.org/refcontrol/

In fact, RefControl can execute all the things you recommend on Bugzilla: retaining the referer within sites, disabling referers to third party sites, and truncating referers to top-level domains for third party sites.

That said, I very much agree that these features should be implemented by default in private browsing modes.

Has the community expressed any interest in your request and recommendation?

Many sites use referral data for fair reasons, like preventing 'stealing' of bandwidth by so-called hotlinking to (large) files. The default browser setting should be to send the referrer only within the same domain, and to block it for third party sites. Otherwise browsing the web will become a nightmare for both users and webmasters around the globe.

This is a really well thought-out article. Referer requests are an issue. Firefox, IE, Safari, Chrome, and other browsers (like mobile browsers) should all have an easy way to manage this so one can stay private if they choose to.

Interestingly enough, the referenced spec basically points out that the producers/consumers of the refer tag need to be careful in what they put in there: "Because the source of a link may be private information or may reveal an otherwise private information source".

While I am a big proponent of the Browsers incorporating more secure/privacy tools and functionality, this is on sites themselves to maintain.

The referrer is very important in site to site communication. If two sites need to communicate with one another, who's to say they won't just use a web service between the two to send that data anyway?

The problem is not so much that browser vendors are not modifying or forging the referer header but that users are not properly educated to surf the web cautiously. If they were, I bet that either browser vendors would already have included such a feature by default or the users would already deploy add-ons like JonDoFox (http://anonymous-proxy-servers.net/en/software.html) which have referer spoofing by default without breaking sites. Either way, you would not need to make your proposal, which shows that it just cures a symptom but not the main problem.

Christopher Soghoian, Ph.D. is a Washington, DC based privacy and security researcher. He is the Principal Technologist in the Speech, Privacy and Technology Project at the American Civil Liberties Union.